For a company whose main focus is on dissecting malicious binaries, ESET’s researchers spend a lot of time thinking and talking about encryption. And given that the static password is a flawed authentication mechanism that should, according to most expert opinion, have been quietly euthanized decades ago, it might seem strange that so much of that attention, at least in terms of informational writing, has been about improving password practice. (In fact, I only recently wrote about it in Cybercrime Corner.)
But you work with what you’ve got.
Customers don’t generally get to choose what authentication a given product or service offers. Sometimes, they don’t even get to choose their own password. But if they do, how well do they choose?
Despite all the Irish jokes that were a staple of politically incorrect entertainment a few decades ago, a recent survey carried out by Amárach on behalf of ESET Ireland indicates that IT users in Ireland are actually a little smarter in this context than the global average. At any rate, 38 percent of the thousand people sampled use an alphanumeric string for their passwords, though only 10 percent used a combination of mixed-case letters, numbers and punctuation. However, a further 10 percent used mixed-case letters and numbers. (Again, the service provider often doesn’t support all these possibilities, and may limit the length of a password or passphrase.) Demographic factors apart, that does seem to indicate an encouraging move away from the top 5 passwords stolen in last year’s attacks on Gawker sites:
Or the earlier attacks on Rockyou.com users, as analyzed by Imperva.
By comparison, even a short password like “fjR8n” sounds pretty good. Though, in fact, I’ve just abstracted that one from a blog on GPU Password Cracking – Bruteforceing a Windows Password Using a Graphic Card, that illustrated how the author, Vijay Devakumar, cracked that one in 24 seconds using Cain and Abel, and in less than one second using ighashgpu, each time in combination with a graphics card. Don’t panic: those operations depended on already having the password’s NTLM hash, as used for login passwords for modern versions of Windows, so your eight-character banking password didn’t just become 18.5 hours away from cracking by LulzSec. In fact, no rational service lets you bruteforce by throwing guesses at it at a rate of 3.334 billion passwords per second: it probably stops you after the third try. Still, if you thought that this kind of processing performance relied on access to NSA mainframes, think again.
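To make the arithmetic behind those figures concrete, here is an added example (my own illustration, not code from the post, from ESET or from Vijay Devakumar's write-up). It sorts a password into the character classes the survey talks about, works out the worst-case keyspace an attacker who knows the class and length must search, and compares the time to exhaust that keyspace at the 3.334 billion guesses per second quoted above with the rate a rational online service allows. The lockout policy (three failed attempts, then a 15-minute lockout) is an assumption for illustration; the GPU rate is the one from the post.

```python
"""Keyspace and time-to-exhaust estimates for the password classes discussed above.

Constructed example. The offline guess rate is the ighashgpu figure quoted in the
post; the online lockout policy is an assumed illustration, not any real service's.
"""
import string

# Character classes roughly matching the survey categories, smallest first.
CHARSETS = {
    "digits only": string.digits,
    "lower-case letters": string.ascii_lowercase,
    "lower-case letters + digits": string.ascii_lowercase + string.digits,
    "mixed-case letters + digits": string.ascii_letters + string.digits,
    "mixed case + digits + punctuation": string.ascii_letters + string.digits + string.punctuation,
}

GPU_NTLM_RATE = 3.334e9  # guesses/s against an NTLM hash, as quoted in the post
# Assumed online policy: three failed attempts, then a 15-minute lockout.
ONLINE_TRIES, ONLINE_LOCKOUT_SECONDS = 3, 15 * 60


def classify(password: str) -> str:
    """Smallest listed class containing every character, or 'other'."""
    for name, chars in CHARSETS.items():
        if all(c in chars for c in password):
            return name
    return "other"


def keyspace(password: str) -> int:
    """Candidates an attacker who knows the class and length must try at worst."""
    name = classify(password)
    size = len(CHARSETS[name]) if name != "other" else 95  # printable ASCII fallback
    return size ** len(password)


def seconds_to_exhaust(password: str, rate: float) -> float:
    """Wall-clock time to try every candidate in the keyspace at `rate` guesses/s."""
    return keyspace(password) / rate


def online_rate(tries: int, lockout_seconds: int) -> float:
    """Effective guesses/s against a service that locks out after `tries` failures."""
    return tries / lockout_seconds


def describe(seconds: float) -> str:
    """Human-readable duration."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def report(password: str) -> dict:
    """Offline (hash in hand) versus online (rate-limited) exhaustion time."""
    offline = seconds_to_exhaust(password, GPU_NTLM_RATE)
    online = seconds_to_exhaust(password, online_rate(ONLINE_TRIES, ONLINE_LOCKOUT_SECONDS))
    return {"class": classify(password), "keyspace": keyspace(password),
            "offline": describe(offline), "online": describe(online)}


if __name__ == "__main__":
    # "fjR8n" is the password from the post; the others are constructed samples.
    for pw in ["123456", "password", "fjR8n", "fjR8nQ2v", "fjR8nQ2v!#"]:
        r = report(pw)
        print(f"{pw:12} {r['class']:34} {r['keyspace']:>24,}  "
              f"offline {r['offline']:>14}  online {r['online']}")
```

Two caveats on reading the output. First, these are exhaustive-search figures: real cracking runs start with dictionaries and mangling rules, which is why "123456" and "password" fall in no time regardless of their nominal keyspace. Second, the gap between the offline and online columns is the point of the post: once an attacker holds the hash, the per-guess cost is set by the hash function (NTLM is fast by design), whereas against a live service it is set by the lockout policy, which is why the five-character example that fell in under a second offline would still take centuries against three tries per quarter-hour.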
Tip of the hat to Urban Schrott for the ESET Ireland survey, to Rick Broida for the naff password list links, and to Paul Ferguson, Valdis Kletnieks et al for discussion on the Funsec GPU thread.